This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

decode as http on all ports

0

Hi, I want to decode all packets as if they were HTTP. How can I do this? The packets that don't have an http.request.uri I will just awk out.

At the moment I have been doing it with this bash script, iterating over port numbers. I am sure I must be missing something.

Horrific hack:

#!/bin/bash
# Runs tshark once per TCP port, forcing that single port to be dissected
# as HTTP, drops the header line and keeps only rows whose third field
# (http.request.uri) is non-empty, appending the result to output.csv.
for i in $(seq 1 65535); do
    tshark -r mycap.pcap -d "tcp.port==$i,http" \
        -T fields -e frame.time -e http.request.method -e http.request.uri \
        -e http.host -e http.user_agent -e tcp.dstport -E header=y \
        | awk 'NR != 1' | awk -F'\t' '$3 != ""' >> output.csv
done

Thanks

Edit:

Found https://www.wireshark.org/docs/man-pages/tshark.html Example: -d tcp.port==8888:3,http will decode any traffic running over TCP ports 8888, 8889 or 8890 as HTTP.

Solution: ./wireshark-1.10.1/tshark -r mycap.pcap -d tcp.port==1-65535,http -T fields -e frame.time -e http.request.method -e http.request.uri -e http.host -e http.user_agent -e tcp.dstport -E header=y

You must have 1.10.1 for it to work.

asked 26 Aug ‘13, 12:37


computeruser1
11224
accept rate: 0%

edited 29 Aug ‘13, 13:33


cmaynard ♦♦
9.4k1038142
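The single-pass approach from the edit above, written out as an added example that is not code from the original post or from the Wireshark project. It assumes tshark 1.10.1 or later (for the `tcp.port==1-65535` range in `-d`) and a capture file passed as the first argument; the rows in `sample_tshark_output` are constructed so the filtering step can be exercised without a capture. The reason a defender wants this view is that forcing HTTP dissection on every TCP port surfaces HTTP requests on non-standard ports, which a port-based filter would miss; the cost is that the dissector is also applied to non-HTTP segments, which come out with empty HTTP fields and are the rows the `http.request.uri` check discards.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post.
# Assumes tshark >= 1.10.1 (the -d port-range syntax) and a capture file
# passed as $1; the rows in sample_tshark_output are constructed.

# Field order requested from tshark (tab-separated output):
#   1 frame.time  2 http.request.method  3 http.request.uri
#   4 http.host   5 http.user_agent      6 tcp.dstport
# Kept unquoted on purpose below so the shell splits it into arguments.
FIELDS='-e frame.time -e http.request.method -e http.request.uri -e http.host -e http.user_agent -e tcp.dstport'

# One tshark pass over the capture with every TCP port dissected as HTTP,
# instead of 65535 passes with a different -d each time.
extract_http_all_ports() {
    tshark -r "$1" -d tcp.port==1-65535,http -T fields $FIELDS -E header=y
}

# Post-processing from the original pipeline: drop the header line, keep
# only rows whose third column (http.request.uri) is non-empty. Rows with
# an empty URI are segments the forced HTTP dissector could not parse as
# a request, i.e. non-HTTP traffic or the response half of a conversation.
keep_requests() {
    awk -F'\t' 'NR > 1 && $3 != ""'
}

# Constructed stand-in for extract_http_all_ports output: a request on
# port 8080, a request on the unusual port 4444, and a non-HTTP segment on
# port 9999 whose HTTP fields are all empty.
sample_tshark_output() {
    printf 'frame.time\thttp.request.method\thttp.request.uri\thttp.host\thttp.user_agent\ttcp.dstport\n'
    printf 'Aug 26, 2013 12:37:00.000\tGET\t/index.html\tintranet.example\tcurl/7.22\t8080\n'
    printf 'Aug 26, 2013 12:37:01.000\tPOST\t/api/status\t203.0.113.5\tMozilla/4.0\t4444\n'
    printf 'Aug 26, 2013 12:37:02.000\t\t\t\t\t9999\n'
}

# Number of request rows that survive the filter; the arguments form the
# command whose output is filtered (e.g. sample_tshark_output, or
# extract_http_all_ports mycap.pcap).
count_requests() {
    "$@" | keep_requests | awk 'END { print NR }'
}

# Usage with a real capture:
#   extract_http_all_ports mycap.pcap | keep_requests >> output.csv
# Dry run on the constructed sample:
#   count_requests sample_tshark_output
```

The filter keeps the port-4444 request, which is the kind of row the per-port loop was built to find, and drops the port-9999 row even though the dissector was applied to it, so the output only contains segments that actually parsed as HTTP requests.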

Good question! I wonder this same thing every time I use the “Decode As” dialog box…

(26 Aug ‘13, 12:54) smp

Please cut your answer from the question and paste it into an answer, so that this question is marked as answered, and so that it’s clearer that the question has an answer.

(26 Aug ‘13, 15:51) Guy Harris ♦♦